I’m experiencing unexpected behavior, and I’m wondering if this is a bug or by design.
As the relevant npm docs state:

> `npm-shrinkwrap.json` files are published to the registry, and should only be considered for CLI tools and devDependencies.
I'm working on a package that is indeed a CLI that is defined as a devDependency of the apps that consume it. My goal is to never break the build of the consuming apps because of updates in transitive dependencies that my tool depends on. `npm-shrinkwrap.json` indeed achieves this goal because it's published to the registry, and when consuming apps run `npm install`, the exact versions of the packages that are listed in my published `npm-shrinkwrap.json` are installed in the nested `node_modules` directory inside the directory of my tool within the root
However, this desired behavior breaks if the consuming app has an `.npmrc` file that defined

I expect that if the app decides to not use a `package-lock.json` file, that's their business for the rest of the packages they depend on, but since my package did publish an `npm-shrinkwrap.json` file, I expect that it will always be installed with the specific exact versions defined within.
Steps to reproduce:

- create 3 packages:
- add a `tool` with an exact version of
- `tool` a devDependency of
- `npm install` in

Expected: `app/node_modules/tool/node_modules/dependency` should exist and contain the exact version of `dependency` defined in the

Actual: `app/node_modules/tool/node_modules/dependency` does not exist. `dependency` only exists in the root `node_modules` folder, and the specific version of `dependency` is not locked to a specific version.
Is this behavior a bug or by design?
If it’s a bug, what should be done so it will be fixed? Is there a workaround to achieve predictably reproducible builds for my tool in another way?
If it’s by design, where is it documented?